{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1756236768,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"1b91bc3a445de30c3ad7d8d599956cd0",
"commit": {"type":"commit",
"time": 1427382117,
"time_ofs": 0,
"oid_tree": { "oid": "51edae5f881d512fc253259157cd635ad6e7b120", "alias": []},
"oid":{ "oid": "02a36fdae8cb503e2f88eac52eb3053431089397", "alias": []},
"msg": "Move more SSL3_RECORD oriented functions into ssl3_record.c",
"sig_commit": { "git_time": { "time": 1427382117, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" },
"sig_author": { "git_time": { "time": 1422810883, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }},
"body": "Move more SSL3_RECORD oriented functions into ssl3_record.c\n\nReviewed-by: Richard Levitte \u003clevitte@openssl.org\u003e\n"
,
"diff": "diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c\nindex 412d8e4..a1f3c56 100644\n--- a/ssl/record/ssl3_record.c\n+++ b/ssl/record/ssl3_record.c\n@@ -110,6 +110,26 @@\n */\n \n #include \u0022../ssl_locl.h\u0022\n+#include \u0022../../crypto/constant_time_locl.h\u0022\n+#include \u003copenssl/rand.h\u003e\n+\n+static const unsigned char ssl3_pad_1[48] \u003d {\n+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,\n+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,\n+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,\n+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,\n+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,\n+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36\n+};\n+\n+static const unsigned char ssl3_pad_2[48] \u003d {\n+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,\n+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,\n+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,\n+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,\n+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,\n+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c\n+};\n \n void SSL3_RECORD_clear(SSL3_RECORD *r)\n {\n@@ -485,6 +505,689 @@ int ssl3_do_compress(SSL *ssl)\n return (1);\n }\n \n+/*-\n+ * ssl3_enc encrypts/decrypts the record in |s-\u003ewrec| / |s-\u003errec|, respectively.\n+ *\n+ * Returns:\n+ * 0: (in non-constant time) if the record is publically invalid (i.e. 
too\n+ * short etc).\n+ * 1: if the record's padding is valid / the encryption was successful.\n+ * -1: if the record's padding is invalid or, if sending, an internal error\n+ * occurred.\n+ */\n+int ssl3_enc(SSL *s, int send)\n+{\n+ SSL3_RECORD *rec;\n+ EVP_CIPHER_CTX *ds;\n+ unsigned long l;\n+ int bs, i, mac_size \u003d 0;\n+ const EVP_CIPHER *enc;\n+\n+ if (send) {\n+ ds \u003d s-\u003eenc_write_ctx;\n+ rec \u003d RECORD_LAYER_get_wrec(\u0026s-\u003erlayer);\n+ if (s-\u003eenc_write_ctx \u003d\u003d NULL)\n+ enc \u003d NULL;\n+ else\n+ enc \u003d EVP_CIPHER_CTX_cipher(s-\u003eenc_write_ctx);\n+ } else {\n+ ds \u003d s-\u003eenc_read_ctx;\n+ rec \u003d RECORD_LAYER_get_rrec(\u0026s-\u003erlayer);\n+ if (s-\u003eenc_read_ctx \u003d\u003d NULL)\n+ enc \u003d NULL;\n+ else\n+ enc \u003d EVP_CIPHER_CTX_cipher(s-\u003eenc_read_ctx);\n+ }\n+\n+ if ((s-\u003esession \u003d\u003d NULL) || (ds \u003d\u003d NULL) || (enc \u003d\u003d NULL)) {\n+ memmove(rec-\u003edata, rec-\u003einput, rec-\u003elength);\n+ rec-\u003einput \u003d rec-\u003edata;\n+ } else {\n+ l \u003d rec-\u003elength;\n+ bs \u003d EVP_CIPHER_block_size(ds-\u003ecipher);\n+\n+ /* COMPRESS */\n+\n+ if ((bs !\u003d 1) \u0026\u0026 send) {\n+ i \u003d bs - ((int)l % bs);\n+\n+ /* we need to add 'i-1' padding bytes */\n+ l +\u003d i;\n+ /*\n+ * the last of these zero bytes will be overwritten with the\n+ * padding length.\n+ */\n+ memset(\u0026rec-\u003einput[rec-\u003elength], 0, i);\n+ rec-\u003elength +\u003d i;\n+ rec-\u003einput[l - 1] \u003d (i - 1);\n+ }\n+\n+ if (!send) {\n+ if (l \u003d\u003d 0 || l % bs !\u003d 0)\n+ return 0;\n+ /* otherwise, rec-\u003elength \u003e\u003d bs */\n+ }\n+\n+ if (EVP_Cipher(ds, rec-\u003edata, rec-\u003einput, l) \u003c 1)\n+ return -1;\n+\n+ if (EVP_MD_CTX_md(s-\u003eread_hash) !\u003d NULL)\n+ mac_size \u003d EVP_MD_CTX_size(s-\u003eread_hash);\n+ if ((bs !\u003d 1) \u0026\u0026 !send)\n+ return ssl3_cbc_remove_padding(s, rec, bs, mac_size);\n+ }\n+ return 
(1);\n+}\n+\n+/*-\n+ * tls1_enc encrypts/decrypts the record in |s-\u003ewrec| / |s-\u003errec|, respectively.\n+ *\n+ * Returns:\n+ * 0: (in non-constant time) if the record is publically invalid (i.e. too\n+ * short etc).\n+ * 1: if the record's padding is valid / the encryption was successful.\n+ * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,\n+ * an internal error occurred.\n+ */\n+int tls1_enc(SSL *s, int send)\n+{\n+ SSL3_RECORD *rec;\n+ EVP_CIPHER_CTX *ds;\n+ unsigned long l;\n+ int bs, i, j, k, pad \u003d 0, ret, mac_size \u003d 0;\n+ const EVP_CIPHER *enc;\n+\n+ if (send) {\n+ if (EVP_MD_CTX_md(s-\u003ewrite_hash)) {\n+ int n \u003d EVP_MD_CTX_size(s-\u003ewrite_hash);\n+ OPENSSL_assert(n \u003e\u003d 0);\n+ }\n+ ds \u003d s-\u003eenc_write_ctx;\n+ rec \u003d RECORD_LAYER_get_wrec(\u0026s-\u003erlayer);\n+ if (s-\u003eenc_write_ctx \u003d\u003d NULL)\n+ enc \u003d NULL;\n+ else {\n+ int ivlen;\n+ enc \u003d EVP_CIPHER_CTX_cipher(s-\u003eenc_write_ctx);\n+ /* For TLSv1.1 and later explicit IV */\n+ if (SSL_USE_EXPLICIT_IV(s)\n+ \u0026\u0026 EVP_CIPHER_mode(enc) \u003d\u003d EVP_CIPH_CBC_MODE)\n+ ivlen \u003d EVP_CIPHER_iv_length(enc);\n+ else\n+ ivlen \u003d 0;\n+ if (ivlen \u003e 1) {\n+ if (rec-\u003edata !\u003d rec-\u003einput)\n+ /*\n+ * we can't write into the input stream: Can this ever\n+ * happen?? 
(steve)\n+ */\n+ fprintf(stderr,\n+ \u0022%s:%d: rec-\u003edata !\u003d rec-\u003einput\u005cn\u0022,\n+ __FILE__, __LINE__);\n+ else if (RAND_bytes(rec-\u003einput, ivlen) \u003c\u003d 0)\n+ return -1;\n+ }\n+ }\n+ } else {\n+ if (EVP_MD_CTX_md(s-\u003eread_hash)) {\n+ int n \u003d EVP_MD_CTX_size(s-\u003eread_hash);\n+ OPENSSL_assert(n \u003e\u003d 0);\n+ }\n+ ds \u003d s-\u003eenc_read_ctx;\n+ rec \u003d RECORD_LAYER_get_rrec(\u0026s-\u003erlayer);\n+ if (s-\u003eenc_read_ctx \u003d\u003d NULL)\n+ enc \u003d NULL;\n+ else\n+ enc \u003d EVP_CIPHER_CTX_cipher(s-\u003eenc_read_ctx);\n+ }\n+\n+#ifdef KSSL_DEBUG\n+ fprintf(stderr, \u0022tls1_enc(%d)\u005cn\u0022, send);\n+#endif /* KSSL_DEBUG */\n+\n+ if ((s-\u003esession \u003d\u003d NULL) || (ds \u003d\u003d NULL) || (enc \u003d\u003d NULL)) {\n+ memmove(rec-\u003edata, rec-\u003einput, rec-\u003elength);\n+ rec-\u003einput \u003d rec-\u003edata;\n+ ret \u003d 1;\n+ } else {\n+ l \u003d rec-\u003elength;\n+ bs \u003d EVP_CIPHER_block_size(ds-\u003ecipher);\n+\n+ if (EVP_CIPHER_flags(ds-\u003ecipher) \u0026 EVP_CIPH_FLAG_AEAD_CIPHER) {\n+ unsigned char buf[13], *seq;\n+\n+ seq \u003d send ? s-\u003es3-\u003ewrite_sequence : s-\u003es3-\u003eread_sequence;\n+\n+ if (SSL_IS_DTLS(s)) {\n+ unsigned char dtlsseq[9], *p \u003d dtlsseq;\n+\n+ s2n(send ? 
s-\u003ed1-\u003ew_epoch : s-\u003ed1-\u003er_epoch, p);\n+ memcpy(p, \u0026seq[2], 6);\n+ memcpy(buf, dtlsseq, 8);\n+ } else {\n+ memcpy(buf, seq, 8);\n+ for (i \u003d 7; i \u003e\u003d 0; i--) { /* increment */\n+ ++seq[i];\n+ if (seq[i] !\u003d 0)\n+ break;\n+ }\n+ }\n+\n+ buf[8] \u003d rec-\u003etype;\n+ buf[9] \u003d (unsigned char)(s-\u003eversion \u003e\u003e 8);\n+ buf[10] \u003d (unsigned char)(s-\u003eversion);\n+ buf[11] \u003d rec-\u003elength \u003e\u003e 8;\n+ buf[12] \u003d rec-\u003elength \u0026 0xff;\n+ pad \u003d EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);\n+ if (send) {\n+ l +\u003d pad;\n+ rec-\u003elength +\u003d pad;\n+ }\n+ } else if ((bs !\u003d 1) \u0026\u0026 send) {\n+ i \u003d bs - ((int)l % bs);\n+\n+ /* Add weird padding of upto 256 bytes */\n+\n+ /* we need to add 'i' padding bytes of value j */\n+ j \u003d i - 1;\n+ if (s-\u003eoptions \u0026 SSL_OP_TLS_BLOCK_PADDING_BUG) {\n+ if (s-\u003es3-\u003eflags \u0026 TLS1_FLAGS_TLS_PADDING_BUG)\n+ j++;\n+ }\n+ for (k \u003d (int)l; k \u003c (int)(l + i); k++)\n+ rec-\u003einput[k] \u003d j;\n+ l +\u003d i;\n+ rec-\u003elength +\u003d i;\n+ }\n+#ifdef KSSL_DEBUG\n+ {\n+ unsigned long ui;\n+ fprintf(stderr,\n+ \u0022EVP_Cipher(ds\u003d%p,rec-\u003edata\u003d%p,rec-\u003einput\u003d%p,l\u003d%ld) \u003d\u003d\u003e\u005cn\u0022,\n+ ds, rec-\u003edata, rec-\u003einput, l);\n+ fprintf(stderr,\n+ \u0022\u005ctEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\u005cn\u0022,\n+ ds-\u003ebuf_len, ds-\u003ecipher-\u003ekey_len, DES_KEY_SZ,\n+ DES_SCHEDULE_SZ, ds-\u003ecipher-\u003eiv_len);\n+ fprintf(stderr, \u0022\u005ct\u005ctIV: \u0022);\n+ for (i \u003d 0; i \u003c ds-\u003ecipher-\u003eiv_len; i++)\n+ fprintf(stderr, \u0022%02X\u0022, ds-\u003eiv[i]);\n+ fprintf(stderr, \u0022\u005cn\u0022);\n+ fprintf(stderr, \u0022\u005ctrec-\u003einput\u003d\u0022);\n+ for (ui \u003d 0; ui \u003c l; ui++)\n+ fprintf(stderr, \u0022 %02x\u0022, rec-\u003einput[ui]);\n+ fprintf(stderr, 
\u0022\u005cn\u0022);\n+ }\n+#endif /* KSSL_DEBUG */\n+\n+ if (!send) {\n+ if (l \u003d\u003d 0 || l % bs !\u003d 0)\n+ return 0;\n+ }\n+\n+ i \u003d EVP_Cipher(ds, rec-\u003edata, rec-\u003einput, l);\n+ if ((EVP_CIPHER_flags(ds-\u003ecipher) \u0026 EVP_CIPH_FLAG_CUSTOM_CIPHER)\n+ ? (i \u003c 0)\n+ : (i \u003d\u003d 0))\n+ return -1; /* AEAD can fail to verify MAC */\n+ if (EVP_CIPHER_mode(enc) \u003d\u003d EVP_CIPH_GCM_MODE \u0026\u0026 !send) {\n+ rec-\u003edata +\u003d EVP_GCM_TLS_EXPLICIT_IV_LEN;\n+ rec-\u003einput +\u003d EVP_GCM_TLS_EXPLICIT_IV_LEN;\n+ rec-\u003elength -\u003d EVP_GCM_TLS_EXPLICIT_IV_LEN;\n+ }\n+#ifdef KSSL_DEBUG\n+ {\n+ unsigned long i;\n+ fprintf(stderr, \u0022\u005ctrec-\u003edata\u003d\u0022);\n+ for (i \u003d 0; i \u003c l; i++)\n+ fprintf(stderr, \u0022 %02x\u0022, rec-\u003edata[i]);\n+ fprintf(stderr, \u0022\u005cn\u0022);\n+ }\n+#endif /* KSSL_DEBUG */\n+\n+ ret \u003d 1;\n+ if (!SSL_USE_ETM(s) \u0026\u0026 EVP_MD_CTX_md(s-\u003eread_hash) !\u003d NULL)\n+ mac_size \u003d EVP_MD_CTX_size(s-\u003eread_hash);\n+ if ((bs !\u003d 1) \u0026\u0026 !send)\n+ ret \u003d tls1_cbc_remove_padding(s, rec, bs, mac_size);\n+ if (pad \u0026\u0026 !send)\n+ rec-\u003elength -\u003d pad;\n+ }\n+ return ret;\n+}\n+\n+int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)\n+{\n+ SSL3_RECORD *rec;\n+ unsigned char *mac_sec, *seq;\n+ EVP_MD_CTX md_ctx;\n+ const EVP_MD_CTX *hash;\n+ unsigned char *p, rec_char;\n+ size_t md_size;\n+ int npad;\n+ int t;\n+\n+ if (send) {\n+ rec \u003d RECORD_LAYER_get_wrec(\u0026ssl-\u003erlayer);\n+ mac_sec \u003d \u0026(ssl-\u003es3-\u003ewrite_mac_secret[0]);\n+ seq \u003d \u0026(ssl-\u003es3-\u003ewrite_sequence[0]);\n+ hash \u003d ssl-\u003ewrite_hash;\n+ } else {\n+ rec \u003d RECORD_LAYER_get_rrec(\u0026ssl-\u003erlayer);\n+ mac_sec \u003d \u0026(ssl-\u003es3-\u003eread_mac_secret[0]);\n+ seq \u003d \u0026(ssl-\u003es3-\u003eread_sequence[0]);\n+ hash \u003d ssl-\u003eread_hash;\n+ }\n+\n+ t \u003d 
EVP_MD_CTX_size(hash);\n+ if (t \u003c 0)\n+ return -1;\n+ md_size \u003d t;\n+ npad \u003d (48 / md_size) * md_size;\n+\n+ if (!send \u0026\u0026\n+ EVP_CIPHER_CTX_mode(ssl-\u003eenc_read_ctx) \u003d\u003d EVP_CIPH_CBC_MODE \u0026\u0026\n+ ssl3_cbc_record_digest_supported(hash)) {\n+ /*\n+ * This is a CBC-encrypted record. We must avoid leaking any\n+ * timing-side channel information about how many blocks of data we\n+ * are hashing because that gives an attacker a timing-oracle.\n+ */\n+\n+ /*-\n+ * npad is, at most, 48 bytes and that's with MD5:\n+ * 16 + 48 + 8 (sequence bytes) + 1 + 2 \u003d 75.\n+ *\n+ * With SHA-1 (the largest hash speced for SSLv3) the hash size\n+ * goes up 4, but npad goes down by 8, resulting in a smaller\n+ * total size.\n+ */\n+ unsigned char header[75];\n+ unsigned j \u003d 0;\n+ memcpy(header + j, mac_sec, md_size);\n+ j +\u003d md_size;\n+ memcpy(header + j, ssl3_pad_1, npad);\n+ j +\u003d npad;\n+ memcpy(header + j, seq, 8);\n+ j +\u003d 8;\n+ header[j++] \u003d rec-\u003etype;\n+ header[j++] \u003d rec-\u003elength \u003e\u003e 8;\n+ header[j++] \u003d rec-\u003elength \u0026 0xff;\n+\n+ /* Final param \u003d\u003d is SSLv3 */\n+ ssl3_cbc_digest_record(hash,\n+ md, \u0026md_size,\n+ header, rec-\u003einput,\n+ rec-\u003elength + md_size, rec-\u003eorig_len,\n+ mac_sec, md_size, 1);\n+ } else {\n+ unsigned int md_size_u;\n+ /* Chop the digest off the end :-) */\n+ EVP_MD_CTX_init(\u0026md_ctx);\n+\n+ EVP_MD_CTX_copy_ex(\u0026md_ctx, hash);\n+ EVP_DigestUpdate(\u0026md_ctx, mac_sec, md_size);\n+ EVP_DigestUpdate(\u0026md_ctx, ssl3_pad_1, npad);\n+ EVP_DigestUpdate(\u0026md_ctx, seq, 8);\n+ rec_char \u003d rec-\u003etype;\n+ EVP_DigestUpdate(\u0026md_ctx, \u0026rec_char, 1);\n+ p \u003d md;\n+ s2n(rec-\u003elength, p);\n+ EVP_DigestUpdate(\u0026md_ctx, md, 2);\n+ EVP_DigestUpdate(\u0026md_ctx, rec-\u003einput, rec-\u003elength);\n+ EVP_DigestFinal_ex(\u0026md_ctx, md, NULL);\n+\n+ EVP_MD_CTX_copy_ex(\u0026md_ctx, hash);\n+ 
EVP_DigestUpdate(\u0026md_ctx, mac_sec, md_size);\n+ EVP_DigestUpdate(\u0026md_ctx, ssl3_pad_2, npad);\n+ EVP_DigestUpdate(\u0026md_ctx, md, md_size);\n+ EVP_DigestFinal_ex(\u0026md_ctx, md, \u0026md_size_u);\n+ md_size \u003d md_size_u;\n+\n+ EVP_MD_CTX_cleanup(\u0026md_ctx);\n+ }\n+\n+ ssl3_record_sequence_update(seq);\n+ return (md_size);\n+}\n+\n+int tls1_mac(SSL *ssl, unsigned char *md, int send)\n+{\n+ SSL3_RECORD *rec;\n+ unsigned char *seq;\n+ EVP_MD_CTX *hash;\n+ size_t md_size;\n+ int i;\n+ EVP_MD_CTX hmac, *mac_ctx;\n+ unsigned char header[13];\n+ int stream_mac \u003d (send ? (ssl-\u003emac_flags \u0026 SSL_MAC_FLAG_WRITE_MAC_STREAM)\n+ : (ssl-\u003emac_flags \u0026 SSL_MAC_FLAG_READ_MAC_STREAM));\n+ int t;\n+\n+ if (send) {\n+ rec \u003d RECORD_LAYER_get_wrec(\u0026ssl-\u003erlayer);\n+ seq \u003d \u0026(ssl-\u003es3-\u003ewrite_sequence[0]);\n+ hash \u003d ssl-\u003ewrite_hash;\n+ } else {\n+ rec \u003d RECORD_LAYER_get_rrec(\u0026ssl-\u003erlayer);\n+ seq \u003d \u0026(ssl-\u003es3-\u003eread_sequence[0]);\n+ hash \u003d ssl-\u003eread_hash;\n+ }\n+\n+ t \u003d EVP_MD_CTX_size(hash);\n+ OPENSSL_assert(t \u003e\u003d 0);\n+ md_size \u003d t;\n+\n+ /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */\n+ if (stream_mac) {\n+ mac_ctx \u003d hash;\n+ } else {\n+ if (!EVP_MD_CTX_copy(\u0026hmac, hash))\n+ return -1;\n+ mac_ctx \u003d \u0026hmac;\n+ }\n+\n+ if (SSL_IS_DTLS(ssl)) {\n+ unsigned char dtlsseq[8], *p \u003d dtlsseq;\n+\n+ s2n(send ? 
ssl-\u003ed1-\u003ew_epoch : ssl-\u003ed1-\u003er_epoch, p);\n+ memcpy(p, \u0026seq[2], 6);\n+\n+ memcpy(header, dtlsseq, 8);\n+ } else\n+ memcpy(header, seq, 8);\n+\n+ header[8] \u003d rec-\u003etype;\n+ header[9] \u003d (unsigned char)(ssl-\u003eversion \u003e\u003e 8);\n+ header[10] \u003d (unsigned char)(ssl-\u003eversion);\n+ header[11] \u003d (rec-\u003elength) \u003e\u003e 8;\n+ header[12] \u003d (rec-\u003elength) \u0026 0xff;\n+\n+ if (!send \u0026\u0026 !SSL_USE_ETM(ssl) \u0026\u0026\n+ EVP_CIPHER_CTX_mode(ssl-\u003eenc_read_ctx) \u003d\u003d EVP_CIPH_CBC_MODE \u0026\u0026\n+ ssl3_cbc_record_digest_supported(mac_ctx)) {\n+ /*\n+ * This is a CBC-encrypted record. We must avoid leaking any\n+ * timing-side channel information about how many blocks of data we\n+ * are hashing because that gives an attacker a timing-oracle.\n+ */\n+ /* Final param \u003d\u003d not SSLv3 */\n+ ssl3_cbc_digest_record(mac_ctx,\n+ md, \u0026md_size,\n+ header, rec-\u003einput,\n+ rec-\u003elength + md_size, rec-\u003eorig_len,\n+ ssl-\u003es3-\u003eread_mac_secret,\n+ ssl-\u003es3-\u003eread_mac_secret_size, 0);\n+ } else {\n+ EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));\n+ EVP_DigestSignUpdate(mac_ctx, rec-\u003einput, rec-\u003elength);\n+ t \u003d EVP_DigestSignFinal(mac_ctx, md, \u0026md_size);\n+ OPENSSL_assert(t \u003e 0);\n+ if (!send \u0026\u0026 !SSL_USE_ETM(ssl) \u0026\u0026 FIPS_mode())\n+ tls_fips_digest_extra(ssl-\u003eenc_read_ctx,\n+ mac_ctx, rec-\u003einput,\n+ rec-\u003elength, rec-\u003eorig_len);\n+ }\n+\n+ if (!stream_mac)\n+ EVP_MD_CTX_cleanup(\u0026hmac);\n+#ifdef TLS_DEBUG\n+ fprintf(stderr, \u0022seq\u003d\u0022);\n+ {\n+ int z;\n+ for (z \u003d 0; z \u003c 8; z++)\n+ fprintf(stderr, \u0022%02X \u0022, seq[z]);\n+ fprintf(stderr, \u0022\u005cn\u0022);\n+ }\n+ fprintf(stderr, \u0022rec\u003d\u0022);\n+ {\n+ unsigned int z;\n+ for (z \u003d 0; z \u003c rec-\u003elength; z++)\n+ fprintf(stderr, \u0022%02X \u0022, rec-\u003edata[z]);\n+ 
fprintf(stderr, \u0022\u005cn\u0022);\n+ }\n+#endif\n+\n+ if (!SSL_IS_DTLS(ssl)) {\n+ for (i \u003d 7; i \u003e\u003d 0; i--) {\n+ ++seq[i];\n+ if (seq[i] !\u003d 0)\n+ break;\n+ }\n+ }\n+#ifdef TLS_DEBUG\n+ {\n+ unsigned int z;\n+ for (z \u003d 0; z \u003c md_size; z++)\n+ fprintf(stderr, \u0022%02X \u0022, md[z]);\n+ fprintf(stderr, \u0022\u005cn\u0022);\n+ }\n+#endif\n+ return (md_size);\n+}\n+\n+/*-\n+ * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC\n+ * record in |rec| by updating |rec-\u003elength| in constant time.\n+ *\n+ * block_size: the block size of the cipher used to encrypt the record.\n+ * returns:\n+ * 0: (in non-constant time) if the record is publicly invalid.\n+ * 1: if the padding was valid\n+ * -1: otherwise.\n+ */\n+int ssl3_cbc_remove_padding(const SSL *s,\n+ SSL3_RECORD *rec,\n+ unsigned block_size, unsigned mac_size)\n+{\n+ unsigned padding_length, good;\n+ const unsigned overhead \u003d 1 /* padding length byte */ + mac_size;\n+\n+ /*\n+ * These lengths are all public so we can test them in non-constant time.\n+ */\n+ if (overhead \u003e rec-\u003elength)\n+ return 0;\n+\n+ padding_length \u003d rec-\u003edata[rec-\u003elength - 1];\n+ good \u003d constant_time_ge(rec-\u003elength, padding_length + overhead);\n+ /* SSLv3 requires that the padding is minimal. */\n+ good \u0026\u003d constant_time_ge(block_size, padding_length + 1);\n+ rec-\u003elength -\u003d good \u0026 (padding_length + 1);\n+ return constant_time_select_int(good, 1, -1);\n+}\n+\n+/*-\n+ * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC\n+ * record in |rec| in constant time and returns 1 if the padding is valid and\n+ * -1 otherwise. 
It also removes any explicit IV from the start of the record\n+ * without leaking any timing about whether there was enough space after the\n+ * padding was removed.\n+ *\n+ * block_size: the block size of the cipher used to encrypt the record.\n+ * returns:\n+ * 0: (in non-constant time) if the record is publicly invalid.\n+ * 1: if the padding was valid\n+ * -1: otherwise.\n+ */\n+int tls1_cbc_remove_padding(const SSL *s,\n+ SSL3_RECORD *rec,\n+ unsigned block_size, unsigned mac_size)\n+{\n+ unsigned padding_length, good, to_check, i;\n+ const unsigned overhead \u003d 1 /* padding length byte */ + mac_size;\n+ /* Check if version requires explicit IV */\n+ if (SSL_USE_EXPLICIT_IV(s)) {\n+ /*\n+ * These lengths are all public so we can test them in non-constant\n+ * time.\n+ */\n+ if (overhead + block_size \u003e rec-\u003elength)\n+ return 0;\n+ /* We can now safely skip explicit IV */\n+ rec-\u003edata +\u003d block_size;\n+ rec-\u003einput +\u003d block_size;\n+ rec-\u003elength -\u003d block_size;\n+ rec-\u003eorig_len -\u003d block_size;\n+ } else if (overhead \u003e rec-\u003elength)\n+ return 0;\n+\n+ padding_length \u003d rec-\u003edata[rec-\u003elength - 1];\n+\n+ /*\n+ * NB: if compression is in operation the first packet may not be of even\n+ * length so the padding bug check cannot be performed. 
This bug\n+ * workaround has been around since SSLeay so hopefully it is either\n+ * fixed now or no buggy implementation supports compression [steve]\n+ */\n+ if ((s-\u003eoptions \u0026 SSL_OP_TLS_BLOCK_PADDING_BUG) \u0026\u0026 !s-\u003eexpand) {\n+ /* First packet is even in size, so check */\n+ if ((memcmp(s-\u003es3-\u003eread_sequence, \u0022\u005c0\u005c0\u005c0\u005c0\u005c0\u005c0\u005c0\u005c0\u0022, 8) \u003d\u003d 0) \u0026\u0026\n+ !(padding_length \u0026 1)) {\n+ s-\u003es3-\u003eflags |\u003d TLS1_FLAGS_TLS_PADDING_BUG;\n+ }\n+ if ((s-\u003es3-\u003eflags \u0026 TLS1_FLAGS_TLS_PADDING_BUG) \u0026\u0026 padding_length \u003e 0) {\n+ padding_length--;\n+ }\n+ }\n+\n+ if (EVP_CIPHER_flags(s-\u003eenc_read_ctx-\u003ecipher) \u0026 EVP_CIPH_FLAG_AEAD_CIPHER) {\n+ /* padding is already verified */\n+ rec-\u003elength -\u003d padding_length + 1;\n+ return 1;\n+ }\n+\n+ good \u003d constant_time_ge(rec-\u003elength, overhead + padding_length);\n+ /*\n+ * The padding consists of a length byte at the end of the record and\n+ * then that many bytes of padding, all with the same value as the length\n+ * byte. Thus, with the length byte included, there are i+1 bytes of\n+ * padding. We can't check just |padding_length+1| bytes because that\n+ * leaks decrypted information. Therefore we always have to check the\n+ * maximum amount of padding possible. (Again, the length of the record\n+ * is public information so we can use it.)\n+ */\n+ to_check \u003d 255; /* maximum amount of padding. */\n+ if (to_check \u003e rec-\u003elength - 1)\n+ to_check \u003d rec-\u003elength - 1;\n+\n+ for (i \u003d 0; i \u003c to_check; i++) {\n+ unsigned char mask \u003d constant_time_ge_8(padding_length, i);\n+ unsigned char b \u003d rec-\u003edata[rec-\u003elength - 1 - i];\n+ /*\n+ * The final |padding_length+1| bytes should all have the value\n+ * |padding_length|. 
Therefore the XOR should be zero.\n+ */\n+ good \u0026\u003d ~(mask \u0026 (padding_length ^ b));\n+ }\n+\n+ /*\n+ * If any of the final |padding_length+1| bytes had the wrong value, one\n+ * or more of the lower eight bits of |good| will be cleared.\n+ */\n+ good \u003d constant_time_eq(0xff, good \u0026 0xff);\n+ rec-\u003elength -\u003d good \u0026 (padding_length + 1);\n+\n+ return constant_time_select_int(good, 1, -1);\n+}\n+\n+/*-\n+ * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in\n+ * constant time (independent of the concrete value of rec-\u003elength, which may\n+ * vary within a 256-byte window).\n+ *\n+ * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to\n+ * this function.\n+ *\n+ * On entry:\n+ * rec-\u003eorig_len \u003e\u003d md_size\n+ * md_size \u003c\u003d EVP_MAX_MD_SIZE\n+ *\n+ * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with\n+ * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into\n+ * a single or pair of cache-lines, then the variable memory accesses don't\n+ * actually affect the timing. 
CPUs with smaller cache-lines [if any] are\n+ * not multi-core and are not considered vulnerable to cache-timing attacks.\n+ */\n+#define CBC_MAC_ROTATE_IN_PLACE\n+\n+void ssl3_cbc_copy_mac(unsigned char *out,\n+ const SSL3_RECORD *rec, unsigned md_size)\n+{\n+#if defined(CBC_MAC_ROTATE_IN_PLACE)\n+ unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];\n+ unsigned char *rotated_mac;\n+#else\n+ unsigned char rotated_mac[EVP_MAX_MD_SIZE];\n+#endif\n+\n+ /*\n+ * mac_end is the index of |rec-\u003edata| just after the end of the MAC.\n+ */\n+ unsigned mac_end \u003d rec-\u003elength;\n+ unsigned mac_start \u003d mac_end - md_size;\n+ /*\n+ * scan_start contains the number of bytes that we can ignore because the\n+ * MAC's position can only vary by 255 bytes.\n+ */\n+ unsigned scan_start \u003d 0;\n+ unsigned i, j;\n+ unsigned div_spoiler;\n+ unsigned rotate_offset;\n+\n+ OPENSSL_assert(rec-\u003eorig_len \u003e\u003d md_size);\n+ OPENSSL_assert(md_size \u003c\u003d EVP_MAX_MD_SIZE);\n+\n+#if defined(CBC_MAC_ROTATE_IN_PLACE)\n+ rotated_mac \u003d rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) \u0026 63);\n+#endif\n+\n+ /* This information is public so it's safe to branch based on it. */\n+ if (rec-\u003eorig_len \u003e md_size + 255 + 1)\n+ scan_start \u003d rec-\u003eorig_len - (md_size + 255 + 1);\n+ /*\n+ * div_spoiler contains a multiple of md_size that is used to cause the\n+ * modulo operation to be constant time. 
Without this, the time varies\n+ * based on the amount of padding when running on Intel chips at least.\n+ * The aim of right-shifting md_size is so that the compiler doesn't\n+ * figure out that it can remove div_spoiler as that would require it to\n+ * prove that md_size is always even, which I hope is beyond it.\n+ */\n+ div_spoiler \u003d md_size \u003e\u003e 1;\n+ div_spoiler \u003c\u003c\u003d (sizeof(div_spoiler) - 1) * 8;\n+ rotate_offset \u003d (div_spoiler + mac_start - scan_start) % md_size;\n+\n+ memset(rotated_mac, 0, md_size);\n+ for (i \u003d scan_start, j \u003d 0; i \u003c rec-\u003eorig_len; i++) {\n+ unsigned char mac_started \u003d constant_time_ge_8(i, mac_start);\n+ unsigned char mac_ended \u003d constant_time_ge_8(i, mac_end);\n+ unsigned char b \u003d rec-\u003edata[i];\n+ rotated_mac[j++] |\u003d b \u0026 mac_started \u0026 ~mac_ended;\n+ j \u0026\u003d constant_time_lt(j, md_size);\n+ }\n+\n+ /* Now rotate the MAC */\n+#if defined(CBC_MAC_ROTATE_IN_PLACE)\n+ j \u003d 0;\n+ for (i \u003d 0; i \u003c md_size; i++) {\n+ /* in case cache-line is 32 bytes, touch second line */\n+ ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];\n+ out[j++] \u003d rotated_mac[rotate_offset++];\n+ rotate_offset \u0026\u003d constant_time_lt(rotate_offset, md_size);\n+ }\n+#else\n+ memset(out, 0, md_size);\n+ rotate_offset \u003d md_size - rotate_offset;\n+ rotate_offset \u0026\u003d constant_time_lt(rotate_offset, md_size);\n+ for (i \u003d 0; i \u003c md_size; i++) {\n+ for (j \u003d 0; j \u003c md_size; j++)\n+ out[j] |\u003d rotated_mac[i] \u0026 constant_time_eq_8(j, rotate_offset);\n+ rotate_offset++;\n+ rotate_offset \u0026\u003d constant_time_lt(rotate_offset, md_size);\n+ }\n+#endif\n+}\n+\n int dtls1_process_record(SSL *s)\n {\n int i, al;\ndiff --git a/ssl/record/ssl3_record.h b/ssl/record/ssl3_record.h\nindex 7260403..574bf7f 100644\n--- a/ssl/record/ssl3_record.h\n+++ b/ssl/record/ssl3_record.h\n@@ -163,6 +163,17 @@ void 
SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num);\n int ssl3_get_record(SSL *s);\n __owur int ssl3_do_compress(SSL *ssl);\n __owur int ssl3_do_uncompress(SSL *ssl);\n+__owur int ssl3_enc(SSL *s, int send_data);\n+__owur int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);\n+__owur int tls1_enc(SSL *s, int snd);\n+__owur int tls1_mac(SSL *ssl, unsigned char *md, int snd);\n+void ssl3_cbc_copy_mac(unsigned char *out,\n+ const SSL3_RECORD *rec, unsigned md_size);\n+__owur int ssl3_cbc_remove_padding(const SSL *s,\n+ SSL3_RECORD *rec,\n+ unsigned block_size, unsigned mac_size);\n+__owur int tls1_cbc_remove_padding(const SSL *s,\n+ SSL3_RECORD *rec,\n+ unsigned block_size, unsigned mac_size);\n int dtls1_process_record(SSL *s);\n-int dtls1_get_record(SSL *s);\n-\n+__owur int dtls1_get_record(SSL *s);\ndiff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c\nindex 53e3c87..b20c564 100644\n--- a/ssl/s3_cbc.c\n+++ b/ssl/s3_cbc.c\n@@ -72,227 +72,7 @@\n */\n #define MAX_HASH_BLOCK_SIZE 128\n \n-/*-\n- * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC\n- * record in |rec| by updating |rec-\u003elength| in constant time.\n- *\n- * block_size: the block size of the cipher used to encrypt the record.\n- * returns:\n- * 0: (in non-constant time) if the record is publicly invalid.\n- * 1: if the padding was valid\n- * -1: otherwise.\n- */\n-int ssl3_cbc_remove_padding(const SSL *s,\n- SSL3_RECORD *rec,\n- unsigned block_size, unsigned mac_size)\n-{\n- unsigned padding_length, good;\n- const unsigned overhead \u003d 1 /* padding length byte */ + mac_size;\n-\n- /*\n- * These lengths are all public so we can test them in non-constant time.\n- */\n- if (overhead \u003e rec-\u003elength)\n- return 0;\n-\n- padding_length \u003d rec-\u003edata[rec-\u003elength - 1];\n- good \u003d constant_time_ge(rec-\u003elength, padding_length + overhead);\n- /* SSLv3 requires that the padding is minimal. 
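Review bot: The new prototypes name the direction flag `send_data` (ssl3_enc, n_ssl3_mac) and `snd` (tls1_enc, tls1_mac) while the definitions in ssl3_record.c call it `send`, so a reader jumping between header and source sees three names for one parameter. If the header avoids `send` deliberately, presumably to not shadow the socket send() where this header is included, a one-line comment such as `/* flag is named send in the definitions; renamed here to avoid clashing with send(2) */` would explain it; otherwise picking one name for all four declarations is the simpler fix.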
*/\n- good \u0026\u003d constant_time_ge(block_size, padding_length + 1);\n- rec-\u003elength -\u003d good \u0026 (padding_length + 1);\n- return constant_time_select_int(good, 1, -1);\n-}\n-\n-/*-\n- * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC\n- * record in |rec| in constant time and returns 1 if the padding is valid and\n- * -1 otherwise. It also removes any explicit IV from the start of the record\n- * without leaking any timing about whether there was enough space after the\n- * padding was removed.\n- *\n- * block_size: the block size of the cipher used to encrypt the record.\n- * returns:\n- * 0: (in non-constant time) if the record is publicly invalid.\n- * 1: if the padding was valid\n- * -1: otherwise.\n- */\n-int tls1_cbc_remove_padding(const SSL *s,\n- SSL3_RECORD *rec,\n- unsigned block_size, unsigned mac_size)\n-{\n- unsigned padding_length, good, to_check, i;\n- const unsigned overhead \u003d 1 /* padding length byte */ + mac_size;\n- /* Check if version requires explicit IV */\n- if (SSL_USE_EXPLICIT_IV(s)) {\n- /*\n- * These lengths are all public so we can test them in non-constant\n- * time.\n- */\n- if (overhead + block_size \u003e rec-\u003elength)\n- return 0;\n- /* We can now safely skip explicit IV */\n- rec-\u003edata +\u003d block_size;\n- rec-\u003einput +\u003d block_size;\n- rec-\u003elength -\u003d block_size;\n- rec-\u003eorig_len -\u003d block_size;\n- } else if (overhead \u003e rec-\u003elength)\n- return 0;\n-\n- padding_length \u003d rec-\u003edata[rec-\u003elength - 1];\n-\n- /*\n- * NB: if compression is in operation the first packet may not be of even\n- * length so the padding bug check cannot be performed. 
This bug\n- * workaround has been around since SSLeay so hopefully it is either\n- * fixed now or no buggy implementation supports compression [steve]\n- */\n- if ((s-\u003eoptions \u0026 SSL_OP_TLS_BLOCK_PADDING_BUG) \u0026\u0026 !s-\u003eexpand) {\n- /* First packet is even in size, so check */\n- if ((memcmp(s-\u003es3-\u003eread_sequence, \u0022\u005c0\u005c0\u005c0\u005c0\u005c0\u005c0\u005c0\u005c0\u0022, 8) \u003d\u003d 0) \u0026\u0026\n- !(padding_length \u0026 1)) {\n- s-\u003es3-\u003eflags |\u003d TLS1_FLAGS_TLS_PADDING_BUG;\n- }\n- if ((s-\u003es3-\u003eflags \u0026 TLS1_FLAGS_TLS_PADDING_BUG) \u0026\u0026 padding_length \u003e 0) {\n- padding_length--;\n- }\n- }\n-\n- if (EVP_CIPHER_flags(s-\u003eenc_read_ctx-\u003ecipher) \u0026 EVP_CIPH_FLAG_AEAD_CIPHER) {\n- /* padding is already verified */\n- rec-\u003elength -\u003d padding_length + 1;\n- return 1;\n- }\n-\n- good \u003d constant_time_ge(rec-\u003elength, overhead + padding_length);\n- /*\n- * The padding consists of a length byte at the end of the record and\n- * then that many bytes of padding, all with the same value as the length\n- * byte. Thus, with the length byte included, there are i+1 bytes of\n- * padding. We can't check just |padding_length+1| bytes because that\n- * leaks decrypted information. Therefore we always have to check the\n- * maximum amount of padding possible. (Again, the length of the record\n- * is public information so we can use it.)\n- */\n- to_check \u003d 255; /* maximum amount of padding. */\n- if (to_check \u003e rec-\u003elength - 1)\n- to_check \u003d rec-\u003elength - 1;\n-\n- for (i \u003d 0; i \u003c to_check; i++) {\n- unsigned char mask \u003d constant_time_ge_8(padding_length, i);\n- unsigned char b \u003d rec-\u003edata[rec-\u003elength - 1 - i];\n- /*\n- * The final |padding_length+1| bytes should all have the value\n- * |padding_length|. 
Therefore the XOR should be zero.\n- */\n- good \u0026\u003d ~(mask \u0026 (padding_length ^ b));\n- }\n-\n- /*\n- * If any of the final |padding_length+1| bytes had the wrong value, one\n- * or more of the lower eight bits of |good| will be cleared.\n- */\n- good \u003d constant_time_eq(0xff, good \u0026 0xff);\n- rec-\u003elength -\u003d good \u0026 (padding_length + 1);\n-\n- return constant_time_select_int(good, 1, -1);\n-}\n-\n-/*-\n- * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in\n- * constant time (independent of the concrete value of rec-\u003elength, which may\n- * vary within a 256-byte window).\n- *\n- * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to\n- * this function.\n- *\n- * On entry:\n- * rec-\u003eorig_len \u003e\u003d md_size\n- * md_size \u003c\u003d EVP_MAX_MD_SIZE\n- *\n- * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with\n- * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into\n- * a single or pair of cache-lines, then the variable memory accesses don't\n- * actually affect the timing. 
CPUs with smaller cache-lines [if any] are\n- * not multi-core and are not considered vulnerable to cache-timing attacks.\n- */\n-#define CBC_MAC_ROTATE_IN_PLACE\n-\n-void ssl3_cbc_copy_mac(unsigned char *out,\n- const SSL3_RECORD *rec, unsigned md_size)\n-{\n-#if defined(CBC_MAC_ROTATE_IN_PLACE)\n- unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];\n- unsigned char *rotated_mac;\n-#else\n- unsigned char rotated_mac[EVP_MAX_MD_SIZE];\n-#endif\n \n- /*\n- * mac_end is the index of |rec-\u003edata| just after the end of the MAC.\n- */\n- unsigned mac_end \u003d rec-\u003elength;\n- unsigned mac_start \u003d mac_end - md_size;\n- /*\n- * scan_start contains the number of bytes that we can ignore because the\n- * MAC's position can only vary by 255 bytes.\n- */\n- unsigned scan_start \u003d 0;\n- unsigned i, j;\n- unsigned div_spoiler;\n- unsigned rotate_offset;\n-\n- OPENSSL_assert(rec-\u003eorig_len \u003e\u003d md_size);\n- OPENSSL_assert(md_size \u003c\u003d EVP_MAX_MD_SIZE);\n-\n-#if defined(CBC_MAC_ROTATE_IN_PLACE)\n- rotated_mac \u003d rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) \u0026 63);\n-#endif\n-\n- /* This information is public so it's safe to branch based on it. */\n- if (rec-\u003eorig_len \u003e md_size + 255 + 1)\n- scan_start \u003d rec-\u003eorig_len - (md_size + 255 + 1);\n- /*\n- * div_spoiler contains a multiple of md_size that is used to cause the\n- * modulo operation to be constant time. 
Without this, the time varies\n- * based on the amount of padding when running on Intel chips at least.\n- * The aim of right-shifting md_size is so that the compiler doesn't\n- * figure out that it can remove div_spoiler as that would require it to\n- * prove that md_size is always even, which I hope is beyond it.\n- */\n- div_spoiler \u003d md_size \u003e\u003e 1;\n- div_spoiler \u003c\u003c\u003d (sizeof(div_spoiler) - 1) * 8;\n- rotate_offset \u003d (div_spoiler + mac_start - scan_start) % md_size;\n-\n- memset(rotated_mac, 0, md_size);\n- for (i \u003d scan_start, j \u003d 0; i \u003c rec-\u003eorig_len; i++) {\n- unsigned char mac_started \u003d constant_time_ge_8(i, mac_start);\n- unsigned char mac_ended \u003d constant_time_ge_8(i, mac_end);\n- unsigned char b \u003d rec-\u003edata[i];\n- rotated_mac[j++] |\u003d b \u0026 mac_started \u0026 ~mac_ended;\n- j \u0026\u003d constant_time_lt(j, md_size);\n- }\n-\n- /* Now rotate the MAC */\n-#if defined(CBC_MAC_ROTATE_IN_PLACE)\n- j \u003d 0;\n- for (i \u003d 0; i \u003c md_size; i++) {\n- /* in case cache-line is 32 bytes, touch second line */\n- ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];\n- out[j++] \u003d rotated_mac[rotate_offset++];\n- rotate_offset \u0026\u003d constant_time_lt(rotate_offset, md_size);\n- }\n-#else\n- memset(out, 0, md_size);\n- rotate_offset \u003d md_size - rotate_offset;\n- rotate_offset \u0026\u003d constant_time_lt(rotate_offset, md_size);\n- for (i \u003d 0; i \u003c md_size; i++) {\n- for (j \u003d 0; j \u003c md_size; j++)\n- out[j] |\u003d rotated_mac[i] \u0026 constant_time_eq_8(j, rotate_offset);\n- rotate_offset++;\n- rotate_offset \u0026\u003d constant_time_lt(rotate_offset, md_size);\n- }\n-#endif\n-}\n \n /*\n * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in\ndiff --git a/ssl/s3_enc.c b/ssl/s3_enc.c\nindex 19cd49a..d326924 100644\n--- a/ssl/s3_enc.c\n+++ b/ssl/s3_enc.c\n@@ -480,80 +480,6 @@ void ssl3_cleanup_key_block(SSL *s)\n 
s-\u003es3-\u003etmp.key_block_length \u003d 0;\n }\n \n-/*-\n- * ssl3_enc encrypts/decrypts the record in |s-\u003ewrec| / |s-\u003errec|, respectively.\n- *\n- * Returns:\n- * 0: (in non-constant time) if the record is publically invalid (i.e. too\n- * short etc).\n- * 1: if the record's padding is valid / the encryption was successful.\n- * -1: if the record's padding is invalid or, if sending, an internal error\n- * occurred.\n- */\n-int ssl3_enc(SSL *s, int send)\n-{\n- SSL3_RECORD *rec;\n- EVP_CIPHER_CTX *ds;\n- unsigned long l;\n- int bs, i, mac_size \u003d 0;\n- const EVP_CIPHER *enc;\n-\n- if (send) {\n- ds \u003d s-\u003eenc_write_ctx;\n- rec \u003d RECORD_LAYER_get_wrec(\u0026s-\u003erlayer);\n- if (s-\u003eenc_write_ctx \u003d\u003d NULL)\n- enc \u003d NULL;\n- else\n- enc \u003d EVP_CIPHER_CTX_cipher(s-\u003eenc_write_ctx);\n- } else {\n- ds \u003d s-\u003eenc_read_ctx;\n- rec \u003d RECORD_LAYER_get_rrec(\u0026s-\u003erlayer);\n- if (s-\u003eenc_read_ctx \u003d\u003d NULL)\n- enc \u003d NULL;\n- else\n- enc \u003d EVP_CIPHER_CTX_cipher(s-\u003eenc_read_ctx);\n- }\n-\n- if ((s-\u003esession \u003d\u003d NULL) || (ds \u003d\u003d NULL) || (enc \u003d\u003d NULL)) {\n- memmove(rec-\u003edata, rec-\u003einput, rec-\u003elength);\n- rec-\u003einput \u003d rec-\u003edata;\n- } else {\n- l \u003d rec-\u003elength;\n- bs \u003d EVP_CIPHER_block_size(ds-\u003ecipher);\n-\n- /* COMPRESS */\n-\n- if ((bs !\u003d 1) \u0026\u0026 send) {\n- i \u003d bs - ((int)l % bs);\n-\n- /* we need to add 'i-1' padding bytes */\n- l +\u003d i;\n- /*\n- * the last of these zero bytes will be overwritten with the\n- * padding length.\n- */\n- memset(\u0026rec-\u003einput[rec-\u003elength], 0, i);\n- rec-\u003elength +\u003d i;\n- rec-\u003einput[l - 1] \u003d (i - 1);\n- }\n-\n- if (!send) {\n- if (l \u003d\u003d 0 || l % bs !\u003d 0)\n- return 0;\n- /* otherwise, rec-\u003elength \u003e\u003d bs */\n- }\n-\n- if (EVP_Cipher(ds, rec-\u003edata, rec-\u003einput, l) \u003c 1)\n- 
return -1;\n-\n- if (EVP_MD_CTX_md(s-\u003eread_hash) !\u003d NULL)\n- mac_size \u003d EVP_MD_CTX_size(s-\u003eread_hash);\n- if ((bs !\u003d 1) \u0026\u0026 !send)\n- return ssl3_cbc_remove_padding(s, rec, bs, mac_size);\n- }\n- return (1);\n-}\n-\n void ssl3_init_finished_mac(SSL *s)\n {\n BIO_free(s-\u003es3-\u003ehandshake_buffer);\n@@ -713,101 +639,6 @@ static int ssl3_handshake_mac(SSL *s, int md_nid,\n return ((int)ret);\n }\n \n-int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)\n-{\n- SSL3_RECORD *rec;\n- unsigned char *mac_sec, *seq;\n- EVP_MD_CTX md_ctx;\n- const EVP_MD_CTX *hash;\n- unsigned char *p, rec_char;\n- size_t md_size;\n- int npad;\n- int t;\n-\n- if (send) {\n- rec \u003d RECORD_LAYER_get_wrec(\u0026ssl-\u003erlayer);\n- mac_sec \u003d \u0026(ssl-\u003es3-\u003ewrite_mac_secret[0]);\n- seq \u003d \u0026(ssl-\u003es3-\u003ewrite_sequence[0]);\n- hash \u003d ssl-\u003ewrite_hash;\n- } else {\n- rec \u003d RECORD_LAYER_get_rrec(\u0026ssl-\u003erlayer);\n- mac_sec \u003d \u0026(ssl-\u003es3-\u003eread_mac_secret[0]);\n- seq \u003d \u0026(ssl-\u003es3-\u003eread_sequence[0]);\n- hash \u003d ssl-\u003eread_hash;\n- }\n-\n- t \u003d EVP_MD_CTX_size(hash);\n- if (t \u003c 0)\n- return -1;\n- md_size \u003d t;\n- npad \u003d (48 / md_size) * md_size;\n-\n- if (!send \u0026\u0026\n- EVP_CIPHER_CTX_mode(ssl-\u003eenc_read_ctx) \u003d\u003d EVP_CIPH_CBC_MODE \u0026\u0026\n- ssl3_cbc_record_digest_supported(hash)) {\n- /*\n- * This is a CBC-encrypted record. 
We must avoid leaking any\n- * timing-side channel information about how many blocks of data we\n- * are hashing because that gives an attacker a timing-oracle.\n- */\n-\n- /*-\n- * npad is, at most, 48 bytes and that's with MD5:\n- * 16 + 48 + 8 (sequence bytes) + 1 + 2 \u003d 75.\n- *\n- * With SHA-1 (the largest hash speced for SSLv3) the hash size\n- * goes up 4, but npad goes down by 8, resulting in a smaller\n- * total size.\n- */\n- unsigned char header[75];\n- unsigned j \u003d 0;\n- memcpy(header + j, mac_sec, md_size);\n- j +\u003d md_size;\n- memcpy(header + j, ssl3_pad_1, npad);\n- j +\u003d npad;\n- memcpy(header + j, seq, 8);\n- j +\u003d 8;\n- header[j++] \u003d rec-\u003etype;\n- header[j++] \u003d rec-\u003elength \u003e\u003e 8;\n- header[j++] \u003d rec-\u003elength \u0026 0xff;\n-\n- /* Final param \u003d\u003d is SSLv3 */\n- ssl3_cbc_digest_record(hash,\n- md, \u0026md_size,\n- header, rec-\u003einput,\n- rec-\u003elength + md_size, rec-\u003eorig_len,\n- mac_sec, md_size, 1);\n- } else {\n- unsigned int md_size_u;\n- /* Chop the digest off the end :-) */\n- EVP_MD_CTX_init(\u0026md_ctx);\n-\n- EVP_MD_CTX_copy_ex(\u0026md_ctx, hash);\n- EVP_DigestUpdate(\u0026md_ctx, mac_sec, md_size);\n- EVP_DigestUpdate(\u0026md_ctx, ssl3_pad_1, npad);\n- EVP_DigestUpdate(\u0026md_ctx, seq, 8);\n- rec_char \u003d rec-\u003etype;\n- EVP_DigestUpdate(\u0026md_ctx, \u0026rec_char, 1);\n- p \u003d md;\n- s2n(rec-\u003elength, p);\n- EVP_DigestUpdate(\u0026md_ctx, md, 2);\n- EVP_DigestUpdate(\u0026md_ctx, rec-\u003einput, rec-\u003elength);\n- EVP_DigestFinal_ex(\u0026md_ctx, md, NULL);\n-\n- EVP_MD_CTX_copy_ex(\u0026md_ctx, hash);\n- EVP_DigestUpdate(\u0026md_ctx, mac_sec, md_size);\n- EVP_DigestUpdate(\u0026md_ctx, ssl3_pad_2, npad);\n- EVP_DigestUpdate(\u0026md_ctx, md, md_size);\n- EVP_DigestFinal_ex(\u0026md_ctx, md, \u0026md_size_u);\n- md_size \u003d md_size_u;\n-\n- EVP_MD_CTX_cleanup(\u0026md_ctx);\n- }\n-\n- ssl3_record_sequence_update(seq);\n- return 
(md_size);\n-}\n-\n void ssl3_record_sequence_update(unsigned char *seq)\n {\n int i;\ndiff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h\nindex 3e13a27..55976e6 100644\n--- a/ssl/ssl_locl.h\n+++ b/ssl/ssl_locl.h\n@@ -2095,8 +2095,6 @@ __owur int ssl3_final_finish_mac(SSL *s, const char *sender, int slen,\n unsigned char *p);\n __owur int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);\n void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);\n-__owur int ssl3_enc(SSL *s, int send_data);\n-__owur int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);\n void ssl3_free_digest_list(SSL *s);\n __owur unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);\n __owur SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt,\n@@ -2240,14 +2238,8 @@ void dtls1_clear(SSL *s);\n long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg);\n __owur int dtls1_shutdown(SSL *s);\n \n-\u003c\u003c\u003c\u003c\u003c\u003c\u003c HEAD\n __owur long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);\n-__owur int dtls1_get_record(SSL *s);\n __owur int do_dtls1_write(SSL *s, int type, const unsigned char *buf,\n-\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n-long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);\n-int do_dtls1_write(SSL *s, int type, const unsigned char *buf,\n-\u003e\u003e\u003e\u003e\u003e\u003e\u003e Move SSL3_RECORD oriented functions into ssl3_record.c\n unsigned int len, int create_empty_fragement);\n __owur int dtls1_dispatch_alert(SSL *s);\n \n@@ -2256,11 +2248,9 @@ void ssl_free_wbio_buffer(SSL *s);\n \n __owur int tls1_change_cipher_state(SSL *s, int which);\n __owur int tls1_setup_key_block(SSL *s);\n-__owur int tls1_enc(SSL *s, int snd);\n __owur int tls1_final_finish_mac(SSL *s,\n const char *str, int slen, unsigned char *p);\n __owur int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);\n-__owur int tls1_mac(SSL *ssl, unsigned char *md, int snd);\n __owur int 
tls1_generate_master_secret(SSL *s, unsigned char *out,\n unsigned char *p, int len);\n __owur int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,\n@@ -2369,14 +2359,6 @@ __owur int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,\n __owur int ssl_handshake_hash(SSL *s, unsigned char *out, int outlen);\n \n /* s3_cbc.c */\n-void ssl3_cbc_copy_mac(unsigned char *out,\n- const SSL3_RECORD *rec, unsigned md_size);\n-__owur int ssl3_cbc_remove_padding(const SSL *s,\n- SSL3_RECORD *rec,\n- unsigned block_size, unsigned mac_size);\n-__owur int tls1_cbc_remove_padding(const SSL *s,\n- SSL3_RECORD *rec,\n- unsigned block_size, unsigned mac_size);\n __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);\n void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,\n unsigned char *md_out,\ndiff --git a/ssl/t1_enc.c b/ssl/t1_enc.c\nindex 9f876b4..80626db 100644\n--- a/ssl/t1_enc.c\n+++ b/ssl/t1_enc.c\n@@ -725,182 +725,6 @@ int tls1_setup_key_block(SSL *s)\n return (ret);\n }\n \n-/*-\n- * tls1_enc encrypts/decrypts the record in |s-\u003ewrec| / |s-\u003errec|, respectively.\n- *\n- * Returns:\n- * 0: (in non-constant time) if the record is publically invalid (i.e. 
too\n- * short etc).\n- * 1: if the record's padding is valid / the encryption was successful.\n- * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,\n- * an internal error occurred.\n- */\n-int tls1_enc(SSL *s, int send)\n-{\n- SSL3_RECORD *rec;\n- EVP_CIPHER_CTX *ds;\n- unsigned long l;\n- int bs, i, j, k, pad \u003d 0, ret, mac_size \u003d 0;\n- const EVP_CIPHER *enc;\n-\n- if (send) {\n- if (EVP_MD_CTX_md(s-\u003ewrite_hash)) {\n- int n \u003d EVP_MD_CTX_size(s-\u003ewrite_hash);\n- OPENSSL_assert(n \u003e\u003d 0);\n- }\n- ds \u003d s-\u003eenc_write_ctx;\n- rec \u003d RECORD_LAYER_get_wrec(\u0026s-\u003erlayer);\n- if (s-\u003eenc_write_ctx \u003d\u003d NULL)\n- enc \u003d NULL;\n- else {\n- int ivlen;\n- enc \u003d EVP_CIPHER_CTX_cipher(s-\u003eenc_write_ctx);\n- /* For TLSv1.1 and later explicit IV */\n- if (SSL_USE_EXPLICIT_IV(s)\n- \u0026\u0026 EVP_CIPHER_mode(enc) \u003d\u003d EVP_CIPH_CBC_MODE)\n- ivlen \u003d EVP_CIPHER_iv_length(enc);\n- else\n- ivlen \u003d 0;\n- if (ivlen \u003e 1) {\n- if (rec-\u003edata !\u003d rec-\u003einput)\n- /*\n- * we can't write into the input stream: Can this ever\n- * happen?? 
(steve)\n- */\n- fprintf(stderr,\n- \u0022%s:%d: rec-\u003edata !\u003d rec-\u003einput\u005cn\u0022,\n- __FILE__, __LINE__);\n- else if (RAND_bytes(rec-\u003einput, ivlen) \u003c\u003d 0)\n- return -1;\n- }\n- }\n- } else {\n- if (EVP_MD_CTX_md(s-\u003eread_hash)) {\n- int n \u003d EVP_MD_CTX_size(s-\u003eread_hash);\n- OPENSSL_assert(n \u003e\u003d 0);\n- }\n- ds \u003d s-\u003eenc_read_ctx;\n- rec \u003d RECORD_LAYER_get_rrec(\u0026s-\u003erlayer);\n- if (s-\u003eenc_read_ctx \u003d\u003d NULL)\n- enc \u003d NULL;\n- else\n- enc \u003d EVP_CIPHER_CTX_cipher(s-\u003eenc_read_ctx);\n- }\n-\n-#ifdef KSSL_DEBUG\n- fprintf(stderr, \u0022tls1_enc(%d)\u005cn\u0022, send);\n-#endif /* KSSL_DEBUG */\n-\n- if ((s-\u003esession \u003d\u003d NULL) || (ds \u003d\u003d NULL) || (enc \u003d\u003d NULL)) {\n- memmove(rec-\u003edata, rec-\u003einput, rec-\u003elength);\n- rec-\u003einput \u003d rec-\u003edata;\n- ret \u003d 1;\n- } else {\n- l \u003d rec-\u003elength;\n- bs \u003d EVP_CIPHER_block_size(ds-\u003ecipher);\n-\n- if (EVP_CIPHER_flags(ds-\u003ecipher) \u0026 EVP_CIPH_FLAG_AEAD_CIPHER) {\n- unsigned char buf[13], *seq;\n-\n- seq \u003d send ? s-\u003es3-\u003ewrite_sequence : s-\u003es3-\u003eread_sequence;\n-\n- if (SSL_IS_DTLS(s)) {\n- unsigned char dtlsseq[9], *p \u003d dtlsseq;\n-\n- s2n(send ? 
s-\u003ed1-\u003ew_epoch : s-\u003ed1-\u003er_epoch, p);\n- memcpy(p, \u0026seq[2], 6);\n- memcpy(buf, dtlsseq, 8);\n- } else {\n- memcpy(buf, seq, 8);\n- for (i \u003d 7; i \u003e\u003d 0; i--) { /* increment */\n- ++seq[i];\n- if (seq[i] !\u003d 0)\n- break;\n- }\n- }\n-\n- buf[8] \u003d rec-\u003etype;\n- buf[9] \u003d (unsigned char)(s-\u003eversion \u003e\u003e 8);\n- buf[10] \u003d (unsigned char)(s-\u003eversion);\n- buf[11] \u003d rec-\u003elength \u003e\u003e 8;\n- buf[12] \u003d rec-\u003elength \u0026 0xff;\n- pad \u003d EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);\n- if (send) {\n- l +\u003d pad;\n- rec-\u003elength +\u003d pad;\n- }\n- } else if ((bs !\u003d 1) \u0026\u0026 send) {\n- i \u003d bs - ((int)l % bs);\n-\n- /* Add weird padding of upto 256 bytes */\n-\n- /* we need to add 'i' padding bytes of value j */\n- j \u003d i - 1;\n- if (s-\u003eoptions \u0026 SSL_OP_TLS_BLOCK_PADDING_BUG) {\n- if (s-\u003es3-\u003eflags \u0026 TLS1_FLAGS_TLS_PADDING_BUG)\n- j++;\n- }\n- for (k \u003d (int)l; k \u003c (int)(l + i); k++)\n- rec-\u003einput[k] \u003d j;\n- l +\u003d i;\n- rec-\u003elength +\u003d i;\n- }\n-#ifdef KSSL_DEBUG\n- {\n- unsigned long ui;\n- fprintf(stderr,\n- \u0022EVP_Cipher(ds\u003d%p,rec-\u003edata\u003d%p,rec-\u003einput\u003d%p,l\u003d%ld) \u003d\u003d\u003e\u005cn\u0022,\n- ds, rec-\u003edata, rec-\u003einput, l);\n- fprintf(stderr,\n- \u0022\u005ctEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\u005cn\u0022,\n- ds-\u003ebuf_len, ds-\u003ecipher-\u003ekey_len, DES_KEY_SZ,\n- DES_SCHEDULE_SZ, ds-\u003ecipher-\u003eiv_len);\n- fprintf(stderr, \u0022\u005ct\u005ctIV: \u0022);\n- for (i \u003d 0; i \u003c ds-\u003ecipher-\u003eiv_len; i++)\n- fprintf(stderr, \u0022%02X\u0022, ds-\u003eiv[i]);\n- fprintf(stderr, \u0022\u005cn\u0022);\n- fprintf(stderr, \u0022\u005ctrec-\u003einput\u003d\u0022);\n- for (ui \u003d 0; ui \u003c l; ui++)\n- fprintf(stderr, \u0022 %02x\u0022, rec-\u003einput[ui]);\n- fprintf(stderr, 
\u0022\u005cn\u0022);\n- }\n-#endif /* KSSL_DEBUG */\n-\n- if (!send) {\n- if (l \u003d\u003d 0 || l % bs !\u003d 0)\n- return 0;\n- }\n-\n- i \u003d EVP_Cipher(ds, rec-\u003edata, rec-\u003einput, l);\n- if ((EVP_CIPHER_flags(ds-\u003ecipher) \u0026 EVP_CIPH_FLAG_CUSTOM_CIPHER)\n- ? (i \u003c 0)\n- : (i \u003d\u003d 0))\n- return -1; /* AEAD can fail to verify MAC */\n- if (EVP_CIPHER_mode(enc) \u003d\u003d EVP_CIPH_GCM_MODE \u0026\u0026 !send) {\n- rec-\u003edata +\u003d EVP_GCM_TLS_EXPLICIT_IV_LEN;\n- rec-\u003einput +\u003d EVP_GCM_TLS_EXPLICIT_IV_LEN;\n- rec-\u003elength -\u003d EVP_GCM_TLS_EXPLICIT_IV_LEN;\n- }\n-#ifdef KSSL_DEBUG\n- {\n- unsigned long i;\n- fprintf(stderr, \u0022\u005ctrec-\u003edata\u003d\u0022);\n- for (i \u003d 0; i \u003c l; i++)\n- fprintf(stderr, \u0022 %02x\u0022, rec-\u003edata[i]);\n- fprintf(stderr, \u0022\u005cn\u0022);\n- }\n-#endif /* KSSL_DEBUG */\n-\n- ret \u003d 1;\n- if (!SSL_USE_ETM(s) \u0026\u0026 EVP_MD_CTX_md(s-\u003eread_hash) !\u003d NULL)\n- mac_size \u003d EVP_MD_CTX_size(s-\u003eread_hash);\n- if ((bs !\u003d 1) \u0026\u0026 !send)\n- ret \u003d tls1_cbc_remove_padding(s, rec, bs, mac_size);\n- if (pad \u0026\u0026 !send)\n- rec-\u003elength -\u003d pad;\n- }\n- return ret;\n-}\n \n int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)\n {\n@@ -957,121 +781,6 @@ int tls1_final_finish_mac(SSL *s, const char *str, int slen,\n return sizeof buf2;\n }\n \n-int tls1_mac(SSL *ssl, unsigned char *md, int send)\n-{\n- SSL3_RECORD *rec;\n- unsigned char *seq;\n- EVP_MD_CTX *hash;\n- size_t md_size;\n- int i;\n- EVP_MD_CTX hmac, *mac_ctx;\n- unsigned char header[13];\n- int stream_mac \u003d (send ? 
(ssl-\u003emac_flags \u0026 SSL_MAC_FLAG_WRITE_MAC_STREAM)\n- : (ssl-\u003emac_flags \u0026 SSL_MAC_FLAG_READ_MAC_STREAM));\n- int t;\n-\n- if (send) {\n- rec \u003d RECORD_LAYER_get_wrec(\u0026ssl-\u003erlayer);\n- seq \u003d \u0026(ssl-\u003es3-\u003ewrite_sequence[0]);\n- hash \u003d ssl-\u003ewrite_hash;\n- } else {\n- rec \u003d RECORD_LAYER_get_rrec(\u0026ssl-\u003erlayer);\n- seq \u003d \u0026(ssl-\u003es3-\u003eread_sequence[0]);\n- hash \u003d ssl-\u003eread_hash;\n- }\n-\n- t \u003d EVP_MD_CTX_size(hash);\n- OPENSSL_assert(t \u003e\u003d 0);\n- md_size \u003d t;\n-\n- /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */\n- if (stream_mac) {\n- mac_ctx \u003d hash;\n- } else {\n- if (!EVP_MD_CTX_copy(\u0026hmac, hash))\n- return -1;\n- mac_ctx \u003d \u0026hmac;\n- }\n-\n- if (SSL_IS_DTLS(ssl)) {\n- unsigned char dtlsseq[8], *p \u003d dtlsseq;\n-\n- s2n(send ? ssl-\u003ed1-\u003ew_epoch : ssl-\u003ed1-\u003er_epoch, p);\n- memcpy(p, \u0026seq[2], 6);\n-\n- memcpy(header, dtlsseq, 8);\n- } else\n- memcpy(header, seq, 8);\n-\n- header[8] \u003d rec-\u003etype;\n- header[9] \u003d (unsigned char)(ssl-\u003eversion \u003e\u003e 8);\n- header[10] \u003d (unsigned char)(ssl-\u003eversion);\n- header[11] \u003d (rec-\u003elength) \u003e\u003e 8;\n- header[12] \u003d (rec-\u003elength) \u0026 0xff;\n-\n- if (!send \u0026\u0026 !SSL_USE_ETM(ssl) \u0026\u0026\n- EVP_CIPHER_CTX_mode(ssl-\u003eenc_read_ctx) \u003d\u003d EVP_CIPH_CBC_MODE \u0026\u0026\n- ssl3_cbc_record_digest_supported(mac_ctx)) {\n- /*\n- * This is a CBC-encrypted record. 
We must avoid leaking any\n- * timing-side channel information about how many blocks of data we\n- * are hashing because that gives an attacker a timing-oracle.\n- */\n- /* Final param \u003d\u003d not SSLv3 */\n- ssl3_cbc_digest_record(mac_ctx,\n- md, \u0026md_size,\n- header, rec-\u003einput,\n- rec-\u003elength + md_size, rec-\u003eorig_len,\n- ssl-\u003es3-\u003eread_mac_secret,\n- ssl-\u003es3-\u003eread_mac_secret_size, 0);\n- } else {\n- EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));\n- EVP_DigestSignUpdate(mac_ctx, rec-\u003einput, rec-\u003elength);\n- t \u003d EVP_DigestSignFinal(mac_ctx, md, \u0026md_size);\n- OPENSSL_assert(t \u003e 0);\n- if (!send \u0026\u0026 !SSL_USE_ETM(ssl) \u0026\u0026 FIPS_mode())\n- tls_fips_digest_extra(ssl-\u003eenc_read_ctx,\n- mac_ctx, rec-\u003einput,\n- rec-\u003elength, rec-\u003eorig_len);\n- }\n-\n- if (!stream_mac)\n- EVP_MD_CTX_cleanup(\u0026hmac);\n-#ifdef TLS_DEBUG\n- fprintf(stderr, \u0022seq\u003d\u0022);\n- {\n- int z;\n- for (z \u003d 0; z \u003c 8; z++)\n- fprintf(stderr, \u0022%02X \u0022, seq[z]);\n- fprintf(stderr, \u0022\u005cn\u0022);\n- }\n- fprintf(stderr, \u0022rec\u003d\u0022);\n- {\n- unsigned int z;\n- for (z \u003d 0; z \u003c rec-\u003elength; z++)\n- fprintf(stderr, \u0022%02X \u0022, rec-\u003edata[z]);\n- fprintf(stderr, \u0022\u005cn\u0022);\n- }\n-#endif\n-\n- if (!SSL_IS_DTLS(ssl)) {\n- for (i \u003d 7; i \u003e\u003d 0; i--) {\n- ++seq[i];\n- if (seq[i] !\u003d 0)\n- break;\n- }\n- }\n-#ifdef TLS_DEBUG\n- {\n- unsigned int z;\n- for (z \u003d 0; z \u003c md_size; z++)\n- fprintf(stderr, \u0022%02X \u0022, md[z]);\n- fprintf(stderr, \u0022\u005cn\u0022);\n- }\n-#endif\n- return (md_size);\n-}\n-\n int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,\n int len)\n {\n","s":{"c":1756236768,"u": 11205}}
],"g": 15390,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}